My Health Record system participation obligations

A healthcare organisation that is participating in the My Health Record system is required to comply with a range of obligations set out under the following legislation:

Where the organisation is undertaking Assisted Registration;

Changes to your organisation

It is important to understand what changes your organisation may need to make before registering to participate in the My Health Record system, and to ensure ongoing compliance with the above legislation. Potential changes include:

Security

You will need to review, update, maintain, enforce and promote to staff policies that ensure the My Health Record system is used safely and responsibly. These policies need to address matters such as how authorised persons access the system, the training delivered to staff before accessing the My Health Record system, and the physical and information security measures used by the organisation.

See Privacy and Security.

User account management

You will need to confirm the IT system(s) staff use to access the My Health Record system employ reasonable user account management practices, including: restricting use, uniquely identifying users and secure access mechanisms (such as passwords).

Data quality

Your existing obligations to maintain your own detailed and accurate clinical records remains, and you are also responsible for ensuring that information uploaded to the My Health Record system complies with your participation obligations. This includes ensuring your employees are registered healthcare providers (i.e. they have a healthcare provider identifier; HPI-I) before they author any record that will be uploaded to the My Health Record system.

Ongoing participation obligations

Set out below are a number of ongoing obligations on a participating healthcare organisation. Please note, this is not an exhaustive list of obligations. If in doubt of your organisation’s obligations, you should contact the System Operator.

To participate in the My Health Record system, your healthcare organisation must:

  • not discriminate against an individual because they do not have a digital health record or because of their My Health Record's access control settings;
  • take reasonable steps to ensure that their employees exercise due care and skill so that any record uploaded to the My Health Record system is at the time it is uploaded, accurate, up-to-date, not misleading and not defamatory;
  • not upload a clinical document to the My Health Record system where an individual has withdrawn consent to the uploading of that clinical document;
  • only upload a clinical document to the My Health Record system that has been prepared by a person who is a registered healthcare provider (i.e. has an HPI-I) and whose registration is not conditional, suspended, cancelled or lapsed;
  • tell the System Operator as soon as practicable after becoming aware of a potential or actual data breach, that is:
    • there has been an unauthorised collection, use or disclosure of health information included in an individual's My Health Record; or
    • an event has, or may have, occurred that compromises, or may compromise, the security or integrity of the My Health Record system;
  • tell the System Operator, within two business days of becoming aware, of a non-clinical My Health Record system-related error in a record, or your organisation undergoes a material change;
  • tell the System Operator within 14 days if your organisation has ceased to be eligible to be registered (for example, the organisation has cancelled its HPI-O);
  • give the System Operator necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint regarding the My Health Record system;
  • develop, maintain, enforce and communicate to staff written policies relevant to the My Health Record system to ensure that interaction with the My Health Record system is secure, responsible and accountable, and to provide a copy of your policy to the System Operator on request; for more information see [A healthcare organisation that is participating in the My Health Record system is required to comply with a range of obligations set out under the following legislation:

Where the organisation is undertaking Assisted Registration;

Changes to your organisation

It is important to understand what changes your organisation may need to make before registering to participate in the My Health Record system, and to ensure ongoing compliance with the above legislation. Potential changes include:

Security

You will need to review, update, maintain, enforce and promote to staff policies that ensure the My Health Record system is used safely and responsibly. These policies need to address matters such as how authorised persons access the system, the training delivered to staff before accessing the My Health Record system, and the physical and information security measures used by the organisation.

See Privacy and Security.

User account management

You will need to confirm the IT system(s) staff use to access the My Health Record system employ reasonable user account management practices, including: restricting use, uniquely identifying users and secure access mechanisms (such as passwords).

Data quality

Your existing obligations to maintain your own detailed and accurate clinical records remains, and you are also responsible for ensuring that information uploaded to the My Health Record system complies with your participation obligations. This includes ensuring your employees are registered healthcare providers (i.e. they have a healthcare provider identifier; HPI-I) before they author any record that will be uploaded to the My Health Record system.

Ongoing participation obligations

Set out below are a number of ongoing obligations on a participating healthcare organisation. Please note, this is not an exhaustive list of obligations. If in doubt of your organisation’s obligations, you should contact the System Operator.

To participate in the My Health Record system, your healthcare organisation must:

  • not discriminate against an individual because they do not have a digital health record or because of their My Health Record's access control settings;
  • take reasonable steps to ensure that their employees exercise due care and skill so that any record uploaded to the My Health Record system is at the time it is uploaded, accurate, up-to-date, not misleading and not defamatory;
  • not upload a clinical document to the My Health Record system where an individual has withdrawn consent to the uploading of that clinical document;
  • only upload a clinical document to the My Health Record system that has been prepared by a person who is a registered healthcare provider (i.e. has an HPI-I) and whose registration is not conditional, suspended, cancelled or lapsed;
  • tell the System Operator as soon as practicable after becoming aware of a potential or actual data breach, that is:
    • there has been an unauthorised collection, use or disclosure of health information included in an individual's My Health Record; or
    • an event has, or may have, occurred that compromises, or may compromise, the security or integrity of the My Health Record system;
  • tell the System Operator, within two business days of becoming aware, of a non-clinical My Health Record system-related error in a record, or your organisation undergoes a material change;
  • tell the System Operator within 14 days if your organisation has ceased to be eligible to be registered (for example, the organisation has cancelled its HPI-O);
  • give the System Operator necessary assistance in relation to any inquiry, audit, review, assessment, investigation or complaint regarding the My Health Record system;
  • develop, maintain, enforce and communicate to staff written policies relevant to the My Health Record system to ensure that interaction with the My Health Record system is secure, responsible and accountable, and to provide a copy of your policy to the System Operator on request; for more information see]6
  • not retain a copy of any record code, or document code, given to you by an individual that provides access to the patient's My Health Record;
  • ensure the IT systems which your organisation uses to access the My Health Record system use conformant software when connecting to, and interacting with, the My Health Record system; and
  • where the organisation is the Seed organisation in a network of connected healthcare organisations, to ensure that access flags are established and maintained that balance reasonable patient expectations about the sharing of health information and arrangements within the organisation for access to health information collected by the organisation.

For more information on an organisation's participation obligations, visit myhealthrecord.gov.au.